“DarkGate” malware uses Akamai, AWS DNS records and multiple payloads for cryptomining, credential theft and endpoint takeover.
A sophisticated malware campaign has been identified by an enSilo researcher. It had not been detected before and is more advanced than much of the malware identified previously. It has been dubbed DarkGate by its developer, reports researcher Adi Zeligson. Through this malware, attackers can accomplish a wide range of malicious objectives, including ransomware attacks, credential theft, remote-access takeover, and cryptomining.
DarkGate malware was first discovered on the 27th of December 2017, while its first ever sample was identified by enSilo researchers on the 25th of December 2017. Currently, DarkGate is being distributed through torrent files and is mainly targeting Windows workstations.
Backed by a reactive C&C system, DarkGate is capable of evading detection even when the user executes it; a majority of mainstream anti-virus programs are unable to detect it. Moreover, the malware executes multiple payloads to perform many different tasks, and it can also remotely control the endpoint.
The torrent files that distribute this malware are, according to enSilo’s blog post, disguised as popular entertainment titles such as The Walking Dead and Campeones. In reality, these files execute malicious VBScripts on the victim’s computer. After infecting the machine, the malware first contacts the C&C server to start the mining process and later performs several other attacks.
A majority of the targets have been identified in France and Spain, but its scope is quickly spreading across Europe. The author of DarkGate has also created a reactive C&C system which immediately responds to new notifications from the malware about new infections involving crypto wallets. If the operator identifies interesting activity from any of the executed malware, the next stage is to install a custom remote access tool on the computer. This lets the operators carry out manual operations.
According to enSilo researchers, the operator detected their activity and responded immediately by infecting their test machine with customized ransomware. Researchers believe that the malware author has spent considerable time making the malware undetectable by equipping it with multiple evasion techniques.
One technique the malware uses is a “user-mode hooks bypass,” which allows it to evade detection by various anti-virus programs for a lengthy period. Moreover, the reactive C&C system is hidden behind authentic DNS records from legitimate services such as Amazon Web Services and the Akamai CDN to prevent reputation-based detection.
“It is clear that DarkGate is under constant development for it is being improved with every new variant,” researchers noted in their official blog post.
The malware can also prevent the deletion of its critical files through customized recovery tools. Moreover, it uses two different UAC (User Account Control) bypass techniques to escalate privileges. Researchers also claim that DarkGate appears to be linked to a previously identified password stealer dubbed Golroted.
DarkGate’s password-stealing mechanism relies on NirSoft tools that can steal user credentials as well as browser history, cookies, and Skype chats.
It is also apparent that the attackers are particularly interested in cryptocurrency credentials. Fellow researcher Roten Kerner adds that the malware looks for “specific strings in the names of windows in the foreground that are related to different kinds of crypto wallets” used for trading on various crypto applications and websites.
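The infection chain the article describes (a VBScript run from a media-named torrent download, a C&C that resolves into cloud/CDN address space where IP reputation does not help, and NirSoft credential tools run on the host) can be correlated from endpoint telemetry. The following is an added detection example, not code from enSilo or from DarkGate itself; the Sysmon-style event shape, the CDN prefixes and the sample events are constructed assumptions for illustration.

```python
import re
from typing import Dict, Iterable, List

# Stage 1: a script host launched on a .vbs under the user's Downloads folder.
VBS_FROM_DOWNLOAD = re.compile(r"\\Downloads\\.*\.vbs\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Stage 3: real NirSoft credential-recovery utilities (legitimate tools, abused here).
NIRSOFT_TOOLS = {"webbrowserpassview.exe", "mailpv.exe", "chromepass.exe", "skypelogview.exe"}
# Stage 2: placeholder prefixes standing in for cloud/CDN space; a real deployment
# would load the provider-published ranges instead of this constructed list.
CDN_PREFIXES = ("52.94.", "23.5.")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
WEIGHTS = {"vbs_dropper": 2, "cdn_c2": 2, "nirsoft": 3}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def stages_for(event: Dict) -> List[str]:
    """Map one Sysmon-style event (eid 1 = process create, 22 = DNS) to matched stages."""
    hit = []
    image = basename(event["image"])
    if event["eid"] == 1:
        if image in SCRIPT_HOSTS and VBS_FROM_DOWNLOAD.search(event.get("cmdline", "")):
            hit.append("vbs_dropper")
        if image in NIRSOFT_TOOLS:
            hit.append("nirsoft")
    elif event["eid"] == 22:
        # The C&C address itself looks reputable, so the signal is *who* resolves
        # into CDN space: a non-browser binary living under AppData.
        under_appdata = "\\appdata\\" in event["image"].lower()
        if event["answer"].startswith(CDN_PREFIXES) and under_appdata and image not in BROWSERS:
            hit.append("cdn_c2")
    return hit

def score_host(events: Iterable[Dict]) -> Dict:
    """Combine stage hits across a host's events; two or more stages raise an alert."""
    stages = set()
    for ev in events:
        stages.update(stages_for(ev))
    score = sum(WEIGHTS[s] for s in stages)
    return {"stages": sorted(stages), "score": score, "alert": score >= 4}

SAMPLE_EVENTS = [  # constructed telemetry, not from the enSilo report
    {"eid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\The.Walking.Dead.S09E01.vbs"'},
    {"eid": 22, "image": r"C:\Users\u\AppData\Roaming\upd\svc.exe",
     "query": "cdn-sync.example", "answer": "52.94.10.3"},
    {"eid": 1, "image": r"C:\Users\u\AppData\Local\Temp\WebBrowserPassView.exe",
     "cmdline": "WebBrowserPassView.exe /stext creds.txt"},
    {"eid": 22, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "www.example.com", "answer": "23.5.1.1"},  # browser on a CDN: benign
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```

Weights are deliberately simple: a lone DNS resolution into cloud space is common and must not alert by itself, whereas the three stages together are the chain the article describes.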